1+ #!/bin/bash
2+ #####################################################################################
3+ # #
4+ # Syntax: fixcerts DOMAIN #
5+ # #
6+ # Use: Extend Letsencrypt SSl certificates for commonly grouped services such as #
7+ # Apache,Postfix,Dovecot using Certbot. Useful for keeping all client #
8+ # applications referencing the same virtual domain name, such as auto-config #
9+ # email clients on phones, i.e. mailuser@mydomain.TLD smtp.mydomain.TLD #
10+ # imaps.mydomain.TLD instead of mailuser@mydomain.TLD mail.ISPmaildomain.TLD #
11+ # Also useful when sending mail through services like Gmail that will #
12+ # validate sender through a negotiated TLS encrypted connection. #
13+ # #
14+ # Ex: sh fixcerts myhosteddomain.com #
15+ # #
16+ # Prerequisites: #
17+ # - A Letsencrypt certificate for the DOMAIN must already exist #
18+ # - A seperate certificate each for Dovecot and Postfix were previously generated #
19+ # - All new host names to add MUST already exist in DNS at least as a CNAME #
20+ # - Edit the Dovecot/Postfix conf to use the alternate certificate #
21+ # - Set the variable wr_file to a directory that certbot can read and write from #
22+ # - Set the dom_cert=,dv_cert=,pf_cert=,dv_file=, and pf_file= variables #
23+ # #
24+ # In my case, I ran: #
25+ # certbot certonly -webroot /usr/local/ispconfig/interface/acme -d dc.hrst.xyz #
26+ # certbot certonly -webroot /usr/local/ispconfig/interface/acme -d pf.hrst.xyz #
27+ # to create the separate Dovecot and Postscript certificates, then edited and #
28+ # ran the script to extend those certificate, once per hosted domain #
29+ # #
30+ # If you use only one alternate certifcate for both mail services, set both dv_file #
31+ # and pf_file to the same file name and set one of _cert files="" and #
32+ # use the other. If you don't wish to add to a particular certificate, set the #
33+ # variable ="", such as dom_cert #
34+ # TODO: Pre-validate desired additions as already existing in DNS #
35+ # Generate SRV Records and add to DNS to autoconfig clients #
36+ # #
37+ # Author: tad.hasse@gmail.com #
38+ # #
39+ #####################################################################################
40+
41+ #bail out on error
42+ set -e
43+
44+ # Hostnames to add to the main domain certificate
45+ dom_cert="webmail"
46+
47+ # Hostnames to add to the Dovecot domain certificate
48+ dv_cert="pop3s imap"
49+
50+ # Hostnames to add to the Postfix domain certificate
51+ pf_cert="mail smtp smtps"
52+
53+ # Name of the certificate file that handles Dovecot
54+ dv_file="dc.hrst.xyz"
55+
56+ # Name of the certificate file that handles Postfix
57+ pf_file="pf.hrst.xyz"
58+
59+ # Writeable webroot for certbot (I use ISPConfig,
60+ wr_file="/usr/local/ispconfig/interface/acme"
61+
62+ new_cert=""
63+ nanobot=""
64+ affected_services=""
65+
66+ if [ -z "$1" ] # Is parameter #1 zero length?
67+ then
68+ echo "-No DOMAIN specified" # Or no parameter passed.
69+ exit 1
70+ fi
71+
72+ #live_check='/etc/letsencrypt/live/'$1
73+ if [[ ! -d '/etc/letsencrypt/live/'$1 ]]; then
74+ echo "- DOMAIN certificate for \"$1\" not found -"
75+ exit 1
76+ fi
77+
78+ if [[ ! -d '/etc/letsencrypt/live/'${dv_file} ]]; then
79+ echo "- Dovecot/postoffice certificate" ${dv_file}" for \"$1\" not found -"
80+ exit 1
81+ fi
82+
83+ if [[ ! -d '/etc/letsencrypt/live/'${pf_file} ]]; then
84+ echo "- Postfix/mail certificate" ${pf_file}" for \"$1\" not found -"
85+ exit 1
86+ fi
87+
88+ # Have certbot generate its current certificate list for use as input
89+ certbot certificates >~/certfile
90+
91+ # Extend base domain certificate which typically only contains the domain.TLD and www.domain.TLD
92+ if [[ ! -z "${dom_cert}" ]]; then
93+ echo
94+ new_cert=$(echo $dom_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
95+ echo "Adding" ${new_cert} " to "$1
96+ nanobot=$(grep -A1 "Certificate Name: "$1 certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
97+ doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
98+ ${doit_cert}
99+ affected_services=${affected_services}+"A"
100+ else
101+ echo "Domain Certificate unaffected"
102+ fi
103+
104+ # Extend the Dovecot certificate
105+ if [[ ! -z "${dv_cert}" ]]; then
106+ echo
107+ new_cert=$(echo $dv_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
108+ echo "Adding" ${new_cert} " to "${dv_file}
109+ nanobot=$(grep -A1 "Certificate Name: "${dv_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
110+ doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
111+ ${doit_cert}
112+ affected_services=${affected_services}+"D"
113+ else
114+ echo "Dovecot Certificate unaffected"
115+ fi
116+
117+ # Extend the Postscript certificate
118+ if [[ ! -z "{$pf_cert}" ]]; then
119+ echo
120+ new_cert=$(echo $pf_cert| sed -e "s/ /.$1 /g" -e 's/ / -d /g' -e "s/$/.$1 /g" -e 's/^/-d /g')
121+ echo "Adding" ${new_cert} " to " ${pf_file}
122+ nanobot=$(grep -A1 "Certificate Name: "${pf_file} certfile |awk -F': ' '{ {getline}; $1=""; print }'|sed 's/ / -d /g')
123+ doit_cert=$(echo "certbot certonly --webroot -w ${wr_file}${nanobot} ${new_cert}")
124+ ${doit_cert}
125+ affected_services=${affected_services}+"P"
126+ else
127+ echo "Postfix Certificate unaffected"
128+ fi
129+
130+ if [[ $affected_services == *"A"* ]]; then
131+ echo "Remember to restart the httpd service"
132+ fi
133+ if [[ $affected_services == *"D"* ]]; then
134+ echo "Remember to restart the dovecot/postoffice service"
135+ fi
136+ if [[ $affected_services == *"P"* ]]; then
137+ echo "Remember to restart the postfix/sendmail service"
138+ fi
139+
140+ echo
141+ echo
142+ echo "Add the following SRV records to DNS for client setup for "$1
143+ if [[ $affected_services == *"D"* ]]; then
144+ echo "_imaps._tcp."$1 "SRV 3600 4 60 993 imaps"
145+ echo "_pop3s._tcp."$1 "SRV 3600 6 60 995 pop3s"
146+ echo "_imap._tcp."$1 " SRV 3600 8 60 143 imap"
147+ fi
148+ if [[ $affected_services == *"P"* ]]; then
149+ echo "_smtps._tcp."$1 "SRV 3600 8 60 465 smtps"
150+ echo "_smtp._tcp."$1 " SRV 3600 10 60 587 smtp"
151+ fi
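Review bot: The certbot listing is written to `~/certfile` on line 89 but lines 96, 109 and 122 grep the relative path `certfile`, so unless the script is started from $HOME the grep fails, and because `set -e` on line 42 has no `pipefail` that failure is masked by the trailing `sed`, leaving `nanobot` empty and certbot invoked with only the new `-d` names, i.e. a request that no longer covers the names the certificate already carries. Use one path for both, preferably a private temp file removed on exit, switch line 42 to `set -eo pipefail`, anchor the grep so `example.com` cannot also match `example.com.au`, and refuse to call certbot when the existing-domain list comes back empty. Line 118 tests the literal string `{$pf_cert}` (braces outside the `$`), which is never empty, so the Postfix branch and its reminder/SRV output run even when `pf_cert=""`; it should read `if [[ -n "${pf_cert}" ]]; then`. The `grep -A1` also assumes the `Domains:` line immediately follows `Certificate Name:`, which I recall recent certbot releases break by printing a `Serial Number:` line in between, so matching the `Domains:` line after the name rather than by fixed offset would be safer. Building the command as a string in `doit_cert` and expanding it unquoted is also fragile; an array (`cmd=(certbot certonly --webroot -w "$wr_file"); cmd+=(-d ...); "${cmd[@]}"`) avoids re-splitting and globbing.
```shell
set -eo pipefail
# … unchanged: configuration variables and argument/directory checks …
listing=$(mktemp)
trap 'rm -f -- "$listing"' EXIT
certbot certificates >"$listing"
# … unchanged: new_cert construction for the main domain …
nanobot=$(grep -A1 "Certificate Name: $1\$" "$listing" | awk -F': ' '{ {getline}; $1=""; print }' | sed 's/ / -d /g')
[[ -n "$nanobot" ]] || { echo "- existing domains of \"$1\" not found in certbot output; not extending -" >&2; exit 1; }
# … same listing path and emptiness check in the Dovecot and Postfix sections …
if [[ -n "${pf_cert}" ]]; then
```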